kitty.model.low_level.mutated_field module

Fields to perform mutation fuzzing

In some cases, you might not know the details and structure of the fuzzed protocol (or might just be too lazy) but you do have some examples of valid messages. In these cases, it makes sense to perform mutation fuzzing. The strategy of mutation fuzzing is to take some valid messages and mutate them in various ways. Kitty supports the following strategies described below. The last one, MutableField, combines all strategies, with reasonable parameters, together.

Currently all strategies are inspired by this article: http://lcamtuf.blogspot.com/2014/08/binary-fuzzing-strategies-what-works.html

class kitty.model.low_level.mutated_field.BitFlip(value, num_bits=1, fuzzable=True, name=None)[source]

Bases: kitty.model.low_level.field.BaseField

Perform bit-flip mutations of N sequential bits on the value

Example:
BitFlip('\x01', 3)
Results in: '\xe1', '\x71', '\x39', '\x1d', '\x0f', '\x06'
__init__(value, num_bits=1, fuzzable=True, name=None)[source]
Parameters:
  • value – value to mutate (str)
  • num_bits – number of consequtive bits to flip (invert)
  • fuzzable – is field fuzzable (default: True)
  • name – name of the object (default: None)
Raises:

KittyException if num_bits is bigger than the value length in bits
Raises:

KittyException if num_bits is not positive
get_info()[source]
hash()[source]
class kitty.model.low_level.mutated_field.BitFlips(value, bits_range=[1, 2, 3, 4], fuzzable=True, name=None)[source]

Bases: kitty.model.low_level.container.OneOf

Perform bit-flip mutations of (N..) sequential bits on the value

__init__(value, bits_range=[1, 2, 3, 4], fuzzable=True, name=None)[source]
Parameters:
  • value (str) – value to mutate
  • bits_range – range of number of consequtive bits to flip (default: range(1, 5))
  • fuzzable – is field fuzzable (default: True)
  • name – name of the object (default: None)
Example:
BitFlips('\x00', (3, 5))
Results in: '\xe0', '\x70', '\x38', '\x1c', '\x0e', '\x07' - 3 bits flipped each time
            '\xf8', '\x7c', '\x3e', '\x1f' - 5 bits flipped each time
class kitty.model.low_level.mutated_field.BlockDuplicate(value, block_size, num_dups=2, fuzzable=True, name=None)[source]

Bases: kitty.model.low_level.mutated_field.BlockOperation

Duplicate a block of bytes from the default value, each mutation moving one byte forward.

__init__(value, block_size, num_dups=2, fuzzable=True, name=None)[source]
Parameters:
  • value (str) – value to mutate
  • block_size – number of consequtive bytes to duplicate
  • num_dups – number of times to duplicate the block (default: 1)
  • fuzzable – is field fuzzable (default: True)
  • name – name of the object (default: None)
Raises:

KittyException if block_size is bigger than the value length in bytes
Raises:

KittyException if block_size is not positive
hash()[source]
class kitty.model.low_level.mutated_field.BlockDuplicates(value, block_size, num_dups_range=(2, 5, 10, 50, 200), fuzzable=True, name=None)[source]

Bases: kitty.model.low_level.container.OneOf

Perform block duplication with multiple number of duplications

__init__(value, block_size, num_dups_range=(2, 5, 10, 50, 200), fuzzable=True, name=None)[source]
class kitty.model.low_level.mutated_field.BlockOperation(value, block_size, fuzzable=True, name=None)[source]

Bases: kitty.model.low_level.field.BaseField

Base class for performing block-level mutations

__init__(value, block_size, fuzzable=True, name=None)[source]
Parameters:
  • value (str) – value to mutate
  • block_size – number of consequtive bytes to operate on
  • fuzzable – is field fuzzable (default: True)
  • name – name of the object (default: None)
Raises:

KittyException if block_size is bigger than the value length in bytes
Raises:

KittyException if block_size is not positive
hash()[source]
class kitty.model.low_level.mutated_field.BlockRemove(value, block_size, fuzzable=True, name=None)[source]

Bases: kitty.model.low_level.mutated_field.BlockOperation

Remove a block of bytes from the default value, each mutation moving one byte forward.

__init__(value, block_size, fuzzable=True, name=None)[source]
Parameters:
  • value (str) – value to mutate
  • block_size – number of consequtive bytes to remove
  • fuzzable – is field fuzzable (default: True)
  • name – name of the object (default: None)
Raises:

KittyException if block_size is bigger than the value length in bytes
Raises:

KittyException if block_size is not positive
class kitty.model.low_level.mutated_field.BlockSet(value, block_size, set_chr, fuzzable=True, name=None)[source]

Bases: kitty.model.low_level.mutated_field.BlockOperation

Set a block of bytes from the default value to a specific value, each mutation moving one byte forward.

__init__(value, block_size, set_chr, fuzzable=True, name=None)[source]
Parameters:
  • value (str) – value to mutate
  • block_size – number of consequtive bytes to duplicate
  • set_chr – char to set in the blocks
  • fuzzable – is field fuzzable (default: True)
  • name – name of the object (default: None)
Raises:

KittyException if block_size is bigger than the value length in bytes
Raises:

KittyException if block_size is not positive
class kitty.model.low_level.mutated_field.ByteFlip(value, num_bytes=1, fuzzable=True, name=None)[source]

Bases: kitty.model.low_level.field.BaseField

Flip number of sequential bytes in the message, each mutation moving one byte forward.

Example:
ByteFlip('\x00\x00\x00\x00', 2)
# results in:
'\xff\xff\x00\x00'
'\x00\xff\xff\x00'
'\x00\x00\xff\xff'
__init__(value, num_bytes=1, fuzzable=True, name=None)[source]
Parameters:
  • value (str) – value to mutate
  • num_bytes – number of consequtive bytes to flip (invert)
  • fuzzable – is field fuzzable (default: True)
  • name – name of the object (default: None)
Raises:

KittyException if num_bytes is bigger than the value length
Raises:

KittyException if num_bytes is not positive
get_info()[source]
hash()[source]
class kitty.model.low_level.mutated_field.ByteFlips(value, bytes_range=(1, 2, 4), fuzzable=True, name=None)[source]

Bases: kitty.model.low_level.container.OneOf

Perform byte-flip mutations of (N..) sequential bytes on the value

__init__(value, bytes_range=(1, 2, 4), fuzzable=True, name=None)[source]
Parameters:
  • value (str) – value to mutate
  • bytes_range – range of number of consequtive bytes to flip (default: (1, 2, 4))
  • fuzzable – is field fuzzable (default: True)
  • name – name of the object (default: None)
Example:
ByteFlips('\x00\x00\x00\x00', (2,3))
Results in:
'\xff\xff\x00\x00', '\x00\xff\xff\x00', '\x00\x00\xff\xff'  # 2 bytes flipped each time
'\xff\xff\xff\x00', '\x00\xff\xff\xff'  # 3 bytes flipped each time
class kitty.model.low_level.mutated_field.MutableField(value, encoder=<kitty.model.low_level.encoder.ByteAlignedBitsEncoder object>, fuzzable=True, name=None)[source]

Bases: kitty.model.low_level.container.OneOf

Container to perform mutation fuzzing on a value ByteFlips, BitFlips and block operations

__init__(value, encoder=<kitty.model.low_level.encoder.ByteAlignedBitsEncoder object>, fuzzable=True, name=None)[source]
Parameters:
  • value (str) – value to mutate
  • encoder (BitsEncoder) – encoder for the container (default: ENC_BITS_BYTE_ALIGNED)
  • fuzzable – is fuzzable (default: True)
  • name – (unique) name of the template (default: None)